Cryptanalysis of the Revised NTRU Signature Scheme (NSS)
Craig Gentry (DoCoMo), Mike Szydlo (RSA)

Slide 2: A Brief History of NSS
- "Preliminary NSS": presented at the Crypto 2000 rump session; broken by Mironov, and by the inventors.
- NSS in the Eurocrypt 2001 proceedings: forgery / key recovery attacks presented at the Eurocrypt rump session by Gentry, Jonsson, Stern, and Szydlo; motivated new key-gen, sign, and verify procedures.
- "Revised" NSS: sketched at Eurocrypt 2001, details in the EESS doc (May). Still insecure; we give key recovery attacks...

Slide 3: Revised NSS, Details
- Basic elements are polynomials. The full (unreduced) ring is Z[x]/(x^N - 1), N = 251 (also called cyclotomic integers). Multiplication in the ring is also called convolution.
- Auxiliary rings and polynomials: the truncated polynomial ring Z[x]/(x^N - 1) mod 128. A "small polynomial" has only {-1, 0, 1} coefficients.

Slide 4: Key Generation
Private components:
- f1, g1, u ∈ Z[x]/(x^N - 1) are small polynomials (standardized number of {-1, 0, 1} coefficients).
- f = 3*f1 + u and g = 3*g1 + u are computed.
- Let v be the small polynomial with u*v = 1 (mod 3).
- The private key components are (f, g, v).
Public components:
- Let f_inv be a polynomial with f*f_inv = 1 (mod 128).
- Let h be f_inv*g (mod 128).
- The public key is (h).

Slide 5: Signature
The signature (s, t) is computed from f, g, v and the message m.
Algorithm:
- Let w1, w2 be random small masking polynomials (generated by a sub-algorithm).
- Let w0 be the small polynomial with w0 = (m + w1) (mod 3).
- Let s = f*(w0 + 3*w2) (mod 128).
- Let t = g*(w0 + 3*w2) (mod 128).
- The signature is (s, t). (Note t is also publicly computable from s and h.)

Slide 6: Verification
Multiple tests, including:
Norm conditions (use division modulo 128 and the centered norm):
- |(s - m)/p| < B, and |(t - m)| < B.
- |(s - t)/p| < B2, and |(t - m)| < B.
Distribution tests:
- "Mod 3": bounds on the number of coefficients of s and t (mod 3).
- "Quartile": bounds on the number of coefficients in [-64, 64].
Thus s and t appear to come from the right distribution.

Slide 7: Lifting the Signatures
Design motivation of the reduction mod q:
- Hide more information about f and g.
- The only known lattice was of dimension 2N (the NTRU lattice); "unreduced" signatures would allow dimension-N attacks.
- For "equivalent" security, use half the key size.
Lifting technique:
- Apply the CRT to the congruences f*w = m + w1 (mod 3), s = m (mod 128).
- The unknown w1 coefficients are mostly 0.
Result:
- We nearly have the lifted multiples f*w and g*w.
- The approximations have about 25 errors (out of 251).

Slide 8: Finishing the Lifting
Goal: find f*w and g*w, error-free. Take a short transcript of signatures.
Observation: for the correct liftings we know
  (f*w_i)*(g*w_j) - (f*w_j)*(g*w_i) = 0,
so S_i*T_j - S_j*T_i measures the errors.
Iterative error-correction: choose the correction to (S_i, T_i) that sends S_i*T_j - S_j*T_i closest to 0.
4 signatures, 25 seconds, and we get the unreduced signatures (S_i, T_i).
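As an added worked example (not the authors' code), the following Python toy model implements the ring arithmetic of the Key Generation, Signature and Finishing the Lifting slides: the convolution ring Z[x]/(x^N - 1), centered reduction mod 128 and mod 3, f = 3*f1 + u, h = f_inv*g, and s, t = f*w, g*w mod 128 alongside the unreduced multiples. It assumes a shrunken N = 17, made-up coefficient counts for the small polynomials, and omits v and the verification tests; the last function checks the identity (f*w_i)*(g*w_j) - (f*w_j)*(g*w_i) = 0 that the error measure above relies on.

```python
import random
N, P, Q = 17, 3, 128          # toy N (real NSS uses N = 251); p = 3 and q = 128 as in NSS
def mul(a, b):                # convolution product in the unreduced ring Z[x]/(x^N - 1)
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c

def cen(a, m):                # reduce each coefficient mod m into the centered range (-m/2, m/2]
    return [((x + m // 2) % m) - m // 2 for x in a]

def small(rng, ones, negs):   # random small polynomial with the given +1 / -1 counts (constructed)
    v = [1] * ones + [-1] * negs + [0] * (N - ones - negs)
    return rng.sample(v, N)

def inv_mod_q(f):
    """f^-1 mod Q, or None. Mod 2, a^(2^r) = a in GF(2)[x]/(x^N - 1) with r = ord_N(2),
    so a^(2^r - 2) inverts a unit; three Newton steps then lift 2 -> 4 -> 16 -> 256 (covers Q)."""
    r = next(k for k in range(1, N) if pow(2, k, N) == 1)
    a, base, e = [1] + [0] * (N - 1), [x % 2 for x in f], 2 ** r - 2
    while e:                                            # square-and-multiply mod 2
        if e & 1:
            a = [x % 2 for x in mul(a, base)]
        base, e = [x % 2 for x in mul(base, base)], e >> 1
    if [x % 2 for x in mul(a, f)] != [1] + [0] * (N - 1):
        return None                                     # f is not a unit mod 2, hence not mod Q
    for _ in range(3):
        fa = mul(f, a)                                  # Newton step: a <- a * (2 - f*a)
        a = cen(mul(a, [2 - fa[0]] + [-x for x in fa[1:]]), Q)
    return a

def keygen(rng):
    """Private f = 3*f1 + u, g = 3*g1 + u; public h = f_inv*g (mod Q). v is not needed below."""
    while True:                                         # retry until f is a unit mod Q
        f1, g1, u = small(rng, 5, 4), small(rng, 5, 4), small(rng, 4, 4)
        f = [3 * x + y for x, y in zip(f1, u)]
        g = [3 * x + y for x, y in zip(g1, u)]
        if (f_inv := inv_mod_q(f)) is not None:
            return f, g, cen(mul(f_inv, g), Q)

def sign(rng, f, g, m):
    """Reduced (s, t) plus the unreduced f*w, g*w only the signer sees; t = h*s (mod Q)."""
    w1, w2 = small(rng, 2, 2), small(rng, 3, 3)         # masking polynomials
    w0 = cen([x + y for x, y in zip(m, w1)], P)         # w0 = m + w1 (mod 3), small
    w = [x + 3 * y for x, y in zip(w0, w2)]
    return cen(mul(f, w), Q), cen(mul(g, w), Q), mul(f, w), mul(g, w)

def lifting_identity_holds(S1, T1, S2, T2):           # (f*w_1)(g*w_2) - (f*w_2)(g*w_1) == 0 exactly
    return mul(S1, T2) == mul(S2, T1)
```

A single wrong coefficient in one unreduced multiple already makes the identity fail, which is why the slide uses it as the error measure.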

Slide 9: We Could Stop Here
- By finding the unreduced f*w and g*w, we've already broken revised NSS.
- A dimension-N lattice (instead of 2N) is exponentially easier to reduce.
- w is the GCD.

Slide 10: Computing f*f_rev Quickly
- We average sigs to obtain f*f_rev approximately: S*S_rev → f*f_rev converges quickly!
- We use the approximation in an N/2-dimensional CVP lattice.
- With < 10 sigs (to obtain the approximation), LLL gives us f*f_rev exactly.

Slide 11: A Polynomial-time Approach
- The textbook GCD approach appears to be exponential in N.
- Our approach: polynomial in N (after experimentally very fast steps).
  - Preliminary step.
  - Fast step: compute f*f_rev.
  - Poly step: use f*f_rev and f*w to compute f.
- Running times:
  - Fast step: less than 1 minute for the suggested parameters.
  - Poly step: not implemented, but provably O(N^7).

Slide 12: Get f from f*f_rev and f*w in Polynomial Time
- We help LLL: it doesn't always find the shortest vector!
- Fact: f^(p-1) ≡ 1 (mod p) for prime p ≡ 1 (mod N).
- Use LLL to get f^(p-1) * a. We know a (mod p), thus maybe a exactly.
- Compute f^(p-1). It is not difficult to compute f from a power of f.
- This algorithm is efficient because LLL does not have to find the shortest vector in the lattice.

Slide 13: Other Attacks
- The polynomial attack shows one can't just increase the key size.
- Alternate attacks using lattices might be more efficient: compute the ratio g/f in Z[x]/(x^N - 1) mod Q. A bigger Q improves the lattice constants. This can be translated into a traditional knapsack.
- Gram matrix attack (find the circulant M_f): a known matrix M defines GCD(f). Let G = U*U_rev = U F M_(1/f*f_rev) F_rev U_rev. Factor G with "modular-Gram-LLL".

Slide 14: Conclusion
- These attacks render revised NSS (with the suggested parameters) very weak.
- We have presented a 3-stage attack: the first 2 stages are very fast and use about 10 sigs; the last stage is polynomial in N.
- The first stage alone is enough to dramatically reduce its security.

